Memory leak in graphicsmagick (Alpine package)

1) Memory leak

EUVDB-ID: #VU15461

Risk: Low

CVSSv4.0: 5.2 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: CVE-2018-18544

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to memory leak in the WriteMSLImage function, as defined in the coders/msl.c source code file. A remote attacker can trick the victim into accessing a file that submits malicious input, trigger memory leak and cause the service to crash.

Mitigation

Install update from vendor's website.

Vulnerable software versions

graphicsmagick (Alpine package): 1.3.33-r1 - 1.3.34-r0

CPE2.3

• cpe:2.3:o:alpine:graphicsmagick_alpine_package:1.3.33-r1:*:*:*:*:alpine_linux:*:3.10
• cpe:2.3:o:alpine:graphicsmagick_alpine_package:1.3.34-r0:*:*:*:*:alpine_linux:*:3.11

External links

https://git.alpinelinux.org/aports/commit/?id=d0ff5181c1c8b82644c23b856065eb40b0811dc3
https://git.alpinelinux.org/aports/commit/?id=6b4a2e3bab6c54afe6722bda8e75833c8d80778b
https://git.alpinelinux.org/aports/commit/?id=f2ad329cc3291f5c66a6c324a27a44cfe0c42c5e
https://git.alpinelinux.org/aports/commit/?id=7265f5c68465fbf270b08e5b5afab0c89bebdcff
https://git.alpinelinux.org/aports/commit/?id=9aa6f1864ecdab720ef92348b15660fd036b12b0
https://git.alpinelinux.org/aports/commit/?id=49f02237bafd3d3005a5791741d775c1380eddf4
https://git.alpinelinux.org/aports/commit/?id=d4d73543a48ca18ae905200443cacdf97da41f6e

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.